sendity/laravel-server

Self-hosted Sendity server implementation for Laravel

Maintainers

Package info

gitlab.com/sendity/server/laravel

Issues

pkg:composer/sendity/laravel-server

Transparency log

Statistics

Installs: 12

Dependents: 0

Suggesters: 0

Stars: 0

v0.3.0-beta.4 2026-07-14 07:06 UTC

README

Reusable Laravel package for running the Sendity API in a Laravel runtime.

composer require sendity/laravel-server

Boundary

This is a PHP/Laravel package. It is not the public Sendity website and it does not own Docker-era hosted-app wiring.

It owns:

  • AuthRequest creation and status endpoints.
  • inbound channel webhook endpoints:
    • email receives raw message/rfc822 bodies and delegates DKIM/MIME/code extraction to sendity/email-channel;
    • non-email channels continue to use their package-specific JSON adapters.
  • webhook signature and replay validation.
  • JWT issuing and JWKS publication.
  • realtime/broadcasting auth metadata for AuthRequest status updates.

It intentionally does not own:

  • the <x-sendity /> Blade wrapper for customer applications;
  • browser UI defaults such as SENDITY_CLIENT_SCRIPT_URL or SENDITY_VERIFY_URLS;
  • the hosted marketing/customer website;
  • Docker/Traefik deployment manifests.

Compatibility

  • PHP: >=8.2
  • Laravel components: ^12.0|^13.0
  • Testbench: ^10.0|^11.0

Important environment variables

SENDITY_ROUTE_PREFIX=sendity
SENDITY_JWT_ALGORITHM=RS256
SENDITY_JWT_PRIVATE_KEY_BASE64=
SENDITY_JWT_PUBLIC_KEY_BASE64=
SENDITY_JWT_ISSUER=https://sendity.io
SENDITY_DEFAULT_TOKEN_TTL=600
SENDITY_AUTH_REQUEST_TTL=300
SENDITY_WEBHOOK_SECRET=
SENDITY_EMAIL_MAX_MESSAGE_BYTES=262144
SENDITY_EMAIL_MAX_EXTRACTED_CODES=5
SENDITY_PHONE_RECIPIENT=+4915888620026
SENDITY_RCS_SERVICE_ID=sendity_agent@rbm.goog
SENDITY_APP_PHONE_SMS_FALLBACK_ALLOWED=false
SENDITY_BROADCASTING_ENABLED=true

TTL values are application configuration. They are not accepted as client request payload fields.

AuthRequest creation returns one server-owned verification_action. The browser may provide bounded localized email_body and phone_text templates; the server substitutes the formatted code and the validated origin hostname, selects the configured recipient, and builds the complete action URL. Email uses the code as subject and a localized return instruction as body. Phone uses the code-and-return instruction as body. For a Twilio/Google RCS setup, recipient remains the SMS fallback number, optional rcs_recipient contains the configured RBM agent ID, and url contains the complete sms: deep link with service_id and body. Browser clients display only the primary recipient and use the URL unchanged.

Polling can report pending, received, or verified. Verification rejections such as failed DKIM checks or a disallowed SMS fallback are exposed through latest_verification_rejection and broadcast as .verification.rejected.

Hosted sendity.io exposes the public Sendity API through the website Laravel process under /api/*. A direct self-hosted runtime can use the package default /sendity/* prefix or configure another prefix.